I'm maintaining a website running a highly modified old version of osCommerce. My web host offers several flavours of PHP on a per-domain basis (although I think I recall seeing an option to set the PHP version per-directory). Those are PHP4 safe mode, PHP4 CGI, and PHP5 CGI.
I am currently running PHP4 in safe mode. It has turned out that, if I want to add a module (gettext), I need to be in any of the other two modes. Is there reason to be afraid of turning off safe mode?
Really you want to migrate to PHP 5 ASAP.
The big differences between PHP4 and 5 are with the OO features - a quick grep of your code for OO keywords (new, class) will give you an idea of how big your task is.
Also, off-the-shelf applications (particularly unpatched ones) can be a big security risk - you should definitely be thinking about how to separate the mods from standard code distribution of osCommerce.
As to switching off safe-mode - the big question is whether this is on a shared host or not. If it's a dedicated host then there's nothing much to be concerned about - but do restrict PHP file access to the webserver document tree, include paths and any data dirs (including the session dir). If it's not a dedicated host, then you should also be looking for detailed information from your hosting company on how the sites are isolated from each other.
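
An added example, not part of the original answer: a small PHP script that reports whether the running configuration restricts file access the way the answer recommends. It assumes the restriction is done with PHP's `open_basedir` directive, and checks that the document root, every `include_path` entry and the session directory fall inside it.

```php
<?php
// Added example, not from the original answer. Reports whether open_basedir
// is set and whether it covers the directories the answer lists.
header('Content-Type: text/plain');

// Split a PATH_SEPARATOR-delimited ini value into its non-empty entries.
function ini_paths($value) {
    $out = array();
    foreach (explode(PATH_SEPARATOR, (string) $value) as $p) {
        if (trim($p) !== '') { $out[] = trim($p); }
    }
    return $out;
}

// Resolve a path and give it a trailing slash so /srv/www does not match /srv/www2.
function norm($path) {
    $real = @realpath($path);   // false if missing or blocked by open_basedir
    if ($real === false) { return false; }
    return rtrim(str_replace('\\', '/', $real), '/') . '/';
}

// True when $path is one of the $allowed directories or lies below one.
function is_covered($path, $allowed) {
    $real = norm($path);
    if ($real === false) { return false; }
    foreach ($allowed as $base) {
        $b = norm($base);
        if ($b !== false && strpos($real, $b) === 0) { return true; }
    }
    return false;
}

$allowed = ini_paths(ini_get('open_basedir'));
if (!$allowed) {
    exit("open_basedir is not set: PHP can open any file the web server user can read\n");
}

// session.save_path may carry a "depth;" or "depth;mode;" prefix before the directory.
$save = (string) ini_get('session.save_path');
$pos = strrpos($save, ';');
if ($pos !== false) { $save = substr($save, $pos + 1); }

$targets = ini_paths(get_include_path());
if ($save !== '') { $targets[] = $save; }
if (isset($_SERVER['DOCUMENT_ROOT'])) { $targets[] = $_SERVER['DOCUMENT_ROOT']; }

foreach ($targets as $t) {
    echo (is_covered($t, $allowed) ? 'covered    ' : 'NOT COVERED') . "  $t\n";
}
```

Run it once through the web server under the PHP mode you intend to use, then delete it, since its output discloses server paths.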